7.13.2 Configuration Commands, 7.13.2.1 dos-control sipdip, 7.13.2.2 dos-control tcpfrag – Fortinet 548B User Manual

TCP SYN Mode: May be enabled or disabled. The factory default is disabled.

TCP SYN&FIN Mode: May be enabled or disabled. The factory default is disabled.

First Fragment Mode: May be enabled or disabled. The factory default is disabled.

TCP Fragment Offset Mode: May be enabled or disabled. The factory default is disabled.

7.13.2 Configuration Commands

7.13.2.1 dos-control sipdip

This command enables Source IP Address = Destination IP Address (SIP=DIP) Denial of Service
protection. When the mode is enabled, Denial of Service prevention is active for this type of attack:
packets that ingress with SIP=DIP are dropped.

Syntax

dos-control sipdip
no dos-control sipdip

no - This command disables Source IP Address = Destination IP Address (SIP=DIP) Denial of
Service prevention.

Default Setting

Disabled

Command Mode

Global Config

7.13.2.2 dos-control tcpfrag

This command enables Minimum TCP Header Size Denial of Service protection. When the mode is enabled,
Denial of Service prevention is active for this type of attack: packets that ingress with a TCP Header Size
smaller than the configured value are dropped. The default is disabled. If you enable dos-control tcpfrag
but do not provide a Minimum TCP Header Size, the system sets that value to 20.

Syntax

dos-control tcpfrag [<0-255>]
no dos-control tcpfrag

<0-255> - Sets the minimum TCP header length.
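
The following is an added example, not taken from the manual: a Python model of the SIP=DIP and Minimum TCP Header Size checks, for working out which packets in a capture each mode would drop. It assumes the TCP header size is read from the TCP data-offset field (the manual does not say how the switch measures it); `build_packet` and `dos_verdict` are hypothetical names and the packets are constructed samples.

```python
import socket
import struct

DEFAULT_MIN_TCP_HDR = 20  # value the manual says is used when none is given


def build_packet(src, dst, data_offset_words=5):
    """Constructed sample: minimal IPv4 + TCP SYN header (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0,
                      data_offset_words << 4, 0x02, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def dos_verdict(packet, sipdip=False, tcpfrag=False,
                min_tcp_hdr=DEFAULT_MIN_TCP_HDR):
    """Return 'drop:<mode>' or 'forward' for one raw IPv4 packet.

    Both modes default to False, matching the documented default (disabled).
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "forward"  # not IPv4: outside the two checks modelled here
    ihl = max((packet[0] & 0x0F) * 4, 20)  # IPv4 header length in bytes
    if sipdip and packet[12:16] == packet[16:20]:
        return "drop:sipdip"  # source address equals destination address
    if tcpfrag and packet[9] == socket.IPPROTO_TCP:
        avail = max(len(packet) - ihl, 0)
        # Assumption: header size = data offset * 4; if the packet is cut
        # off before that field, use the bytes actually present instead.
        hdr_len = (packet[ihl + 12] >> 4) * 4 if avail > 12 else avail
        if hdr_len < min_tcp_hdr:
            return "drop:tcpfrag"
    return "forward"


if __name__ == "__main__":
    land = build_packet("192.0.2.10", "192.0.2.10")
    short = build_packet("192.0.2.10", "192.0.2.20", data_offset_words=4)
    for name, pkt in (("sip=dip", land), ("short header", short)):
        print(name, dos_verdict(pkt, sipdip=True, tcpfrag=True))
```
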